Options -Indexes
Options -MultiViews

# Deny access to everything by default
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# Allow only index.php and install.php in this public directory
<FilesMatch "^(index|install)\.php$">
    Require all granted
</FilesMatch>

RewriteEngine On

# Rewrite base: adjust if app is in a subdirectory
# The RewriteBase is set dynamically based on APP_BASE_PATH

# Skip rewrite for actual files and directories
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Route everything else to index.php
RewriteRule ^ index.php [L]

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Block access to hidden files and directories
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Prevent direct access to PHP files in asset directories
<Directory "assets">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>
